Hey, try this!
You can use:
index=<your_index> | timechart count span=1d | timewrap m | sort - _time
Run this for the last two months!
I hope this helps you!
Building off of this answer,
here is some documentation on timewrap:
Timewrap is an app in Splunkbase and was made into a Splunk function either in 6.5 or 6.6, I believe. So if you have an older version of Splunk, you may need to install https://splunkbase.splunk.com/app/1645/
If you want a comparison for percent change day over day, add this:
| rename 1month_before as last_month | eval perc_change=round(((latest_month - last_month)/abs(last_month))*100,2)